---
name: Copilot Readiness Assessment
description: Scores a Microsoft 365 tenant for Copilot readiness across licensing, sensitivity labelling, oversharing, Conditional Access and audit retention, mapped to Essential Eight.
---

# Copilot Readiness Assessment

> **TL;DR:** This skill produces a read-only maturity scorecard that tells you whether a Microsoft 365 tenant is ready to safely activate Microsoft 365 Copilot or Microsoft Agent 365, and what to remediate first.

## What does the Copilot readiness assessment check?

The skill scores a Microsoft 365 tenant against the AT.10xxx Copilot readiness control family so an organisation can decide whether to proceed, defer, or remediate before activating Microsoft 365 Copilot or a Microsoft Agent 365 rollout. It examines the controls that most directly govern human-AI collaboration: Copilot licensing coverage, Microsoft Purview sensitivity labelling reach across SharePoint and OneDrive, the SharePoint oversharing baseline that determines what Copilot can surface, Microsoft Entra Conditional Access posture, and Unified Audit Log retention. The result is a defensible readiness position grounded in your current cloud configuration rather than an assumption that the tenant is safe.

## When should you run this skill?

- "Assess M365 Copilot readiness"
- "Is this tenant Copilot-ready?"
- "Score our tenant against AT.10xxx"
- "Pre-rollout review for Microsoft Agent 365"

## Policy defaults and baselines

| Control area | Baseline target |
|---|---|
| Licensing | Microsoft 365 E3/E5 plus Copilot SKU coverage |
| Sensitivity labelling | 70%+ coverage on sites holding sensitive content |
| SharePoint sharing | No broad "Anyone" links on sensitive sites |
| Conditional Access | MFA on all interactive logins; device compliance for licensed users |
| Audit retention | Unified Audit Log enabled, 365 days minimum |

## How this skill works, step by step

1. Confirm licensing baseline: Microsoft 365 E3/E5 plus Copilot SKU coverage.
2. Measure sensitivity labelling coverage across SharePoint and OneDrive (target: 70%+ on sites holding sensitive content).
3. Run a SharePoint oversharing baseline: Anyone links, broad sharing.
4. Confirm Conditional Access posture: MFA on all interactive logins, device compliance for licensed users.
5. Confirm the Unified Audit Log is enabled and retention meets the 365-day minimum.
6. Score each AT.10xxx control: Met / Partial / Not Met.
7. Calculate overall maturity: Ready / Conditional / Defer.
8. Produce the scorecard and remediation action list.
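
One way to implement steps 1 to 7, as an added example rather than the skill's own code: it scores constructed evidence against the baselines above and rolls the result up. The Partial thresholds, the roll-up rule, the evidence field names and the `policy()` helper are assumptions; policy objects follow the Microsoft Graph `conditionalAccessPolicy` shape, and an "All" users scope stands in for licensed users.

```python
# Added example; thresholds, roll-up rule and sample evidence are assumptions, not the skill's.
MET, PARTIAL, NOT_MET = "Met", "Partial", "Not Met"

def score_ca(policies, control):
    """Score one grant control (e.g. "mfa") from Graph conditionalAccessPolicy objects."""
    best = NOT_MET
    for p in policies:
        users, apps = p["conditions"]["users"], p["conditions"]["applications"]
        grant = p.get("grantControls") or {}   # session-only policies have no grant block
        controls = grant.get("builtInControls", [])
        # With operator OR the control is only one of several ways to pass.
        enforced = control in controls and (grant.get("operator") == "AND" or len(controls) == 1)
        if (p["state"] != "enabled"            # report-only policies enforce nothing
                or "All" not in users.get("includeUsers", [])
                or "All" not in apps.get("includeApplications", [])
                or not enforced):
            continue
        if not (users.get("excludeUsers") or users.get("excludeGroups")):
            return MET
        best = PARTIAL                         # exclusions need manual review
    return best

def score_tenant(ev):
    order = [MET, PARTIAL, NOT_MET]            # worst status wins within a control
    cov = ev["label_coverage_pct"]
    scores = {
        "Licensing": MET if ev["copilot_sku_assigned"] else NOT_MET,
        "Sensitivity labelling": MET if cov >= 70 else PARTIAL if cov >= 50 else NOT_MET,
        "SharePoint sharing": MET if ev["anyone_links_on_sensitive_sites"] == 0 else NOT_MET,
        "Conditional Access": max(score_ca(ev["ca_policies"], "mfa"),
                                  score_ca(ev["ca_policies"], "compliantDevice"), key=order.index),
        "Audit retention": MET if ev["ual_enabled"] and ev["ual_retention_days"] >= 365
                           else PARTIAL if ev["ual_enabled"] else NOT_MET,
    }
    vals = scores.values()
    overall = "Defer" if NOT_MET in vals else "Conditional" if PARTIAL in vals else "Ready"
    return scores, overall

def policy(state, controls, exclude_groups=()):
    """Hypothetical helper: builds a minimal all-users, all-apps policy object."""
    return {"state": state, "grantControls": {"operator": "OR", "builtInControls": controls},
            "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
                           "applications": {"includeApplications": ["All"]}}}

SAMPLE = {"copilot_sku_assigned": True, "label_coverage_pct": 62,  # constructed evidence
          "anyone_links_on_sensitive_sites": 0, "ual_enabled": True, "ual_retention_days": 365,
          "ca_policies": [policy("enabled", ["mfa"], ["break-glass-group-id"]),
                          policy("enabledForReportingOnly", ["compliantDevice"])]}

if __name__ == "__main__":
    print(score_tenant(SAMPLE))
```

In the sample, the MFA policy scores Partial because of its group exclusion, and the device-compliance policy does not count because it is in report-only mode, so the tenant rolls up to Defer.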

## Output format

| AT.10xxx Control | Description | Status | Evidence | Remediation |
|---|---|---|---|---|

Followed by:

- Overall maturity: Ready / Conditional / Defer
- Top three remediation actions with owner and target date
- Estimated weeks to readiness

## Scope and safety

Read-only by default; the skill never changes tenant configuration. This skill does NOT:

- Activate Copilot or assign licences.
- Modify tenant configuration (read-only).
- Replace a formal IRAP or ISO 27001 assessment.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft 365 Copilot or Microsoft Agent 365 activation being assessed | Microsoft 365 Copilot add-on on Microsoft 365 E3/E5 |
| Microsoft Purview sensitivity labelling coverage check | Microsoft 365 E5 (or E5 Information Protection and Governance) |
| Microsoft Entra Conditional Access posture check | Microsoft Entra ID P1 |

### Least-privilege roles

- Global Reader — read-only visibility across the tenant for the readiness scoring.
- Reports Reader — read licence assignment and usage data.

### Microsoft Graph permissions (read-only)

- `Directory.Read.All` — reads tenant directory, including assigned Copilot licences.
- `Policy.Read.All` — reads Microsoft Entra Conditional Access policies.
- `Sites.Read.All` — reads SharePoint and OneDrive sharing and sensitivity-label coverage signals.
- Unified Audit Log retention and Microsoft Purview sensitivity-label policies are read via the Microsoft Purview portal or Exchange Online PowerShell rather than Microsoft Graph.

## Sources and compliance

- Aligned to ASD Essential Eight Control 6: User Application Hardening.
- Supports E8 ML2 evidence for Control 6 (user application hardening of AI surfaces).
- Aligned to Microsoft 365 Copilot GA and Microsoft Agent 365 GA.
- Reference: [https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-overview](https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-overview)
- Pair with a DSPM for AI remediation plan when the oversharing baseline fails.
- Output in Australian English.
